Introduction

This section provides context, background, and the motivation behind this project.

Welcome

This project brings together several open-source tools to build a fully functional and professional-grade SIEM (Security Information and Event Management) solution. The goal is to create an ecosystem where each component complements the others, offering enhanced capabilities for log collection, analysis, and threat detection—entirely through open-source technologies.

Note:

This project is inspired by the SOCfortress initiative to build the "World's Best SIEM," as showcased in their YouTube series.


Context

This project was developed during an internship where I was responsible for building a tailored SIEM solution. During the initial research phase, I explored many open-source tools available on the market. Wazuh stood out as a strong candidate due to its rich features and community support.

However, despite Wazuh's capabilities, I found that the solution could be further enhanced by integrating additional tools for log enrichment, more flexible parsing, and extended alerting. This led to a more modular architecture in which each of these concerns is handled by a dedicated component.


Historical Background

Initially, Wazuh relied on Elasticsearch as its core engine for indexing, searching, and analyzing logs. In January 2021, Elastic moved Elasticsearch (and Kibana) away from the Apache 2.0 license: starting with version 7.11, both are dual-licensed under the SSPL and the Elastic License, neither of which is an OSI-approved open-source license. This made them unsuitable as a component of a fully open-source stack.

To address this, Amazon Web Services (AWS) released OpenSearch, an Apache 2.0 licensed fork of Elasticsearch 7.10.2 (together with OpenSearch Dashboards, a fork of Kibana 7.10.2), the last versions published under Apache 2.0. This ensured the continuation of a free and community-driven search engine.

Following this shift, the Wazuh team built their own distribution on top of OpenSearch: Wazuh Indexer (and, likewise, Wazuh Dashboard on top of OpenSearch Dashboards). It is OpenSearch packaged and configured for Wazuh's security use case, shipping with the Wazuh index templates, security users and roles, and native integration with the other Wazuh components.


Project Motivation

Upon discovering the SOCfortress architecture, I was inspired to replicate a similar design. My initial goal was to introduce Graylog as a middleware component between the Wazuh Manager and the Wazuh Indexer to enhance log processing and visualization.

However, SOCfortress used earlier versions of OpenSearch and Wazuh, which were still accepted by Graylog. As the Wazuh ecosystem evolved, Wazuh Indexer diverged from stock OpenSearch and Graylog's search-backend version check no longer accepts it. Attempting to connect them now typically fails with an error stating that the "Elasticsearch version is not compatible". Graylog words it that way because it probes the backend through the Elasticsearch-compatible REST API and reports whatever version string the node returns; the node it is rejecting is the Wazuh Indexer, not an Elasticsearch instance.

To work around this limitation, stock OpenSearch can be used in place of Wazuh Indexer, since Graylog supports OpenSearch as a search backend. OpenSearch also brings its bundled Alerting plugin and a broad plugin ecosystem that can be used to extend the SIEM stack. Note that a stock OpenSearch node does not ship with the Wazuh index templates or the preconfigured security users and roles that the Wazuh Indexer packages provide, so these must be set up manually for the Wazuh Manager and Wazuh Dashboard to work against it.

📌 The specific versions of Wazuh, Graylog, and OpenSearch that are compatible will be listed in the Compatibility Phases section.